A new form of browser-based cross-platform malware can give hackers remote access to computers running Apple's OS X, Microsoft's Windows, and even Linux.

The multi-platform backdoor malware was disclosed this week by security firm F-Secure. It was originally discovered on a Colombian Transport website, and relies on social engineering to trick users into running a Java Archive file, meaning it is not likely to be a major threat.

However, its cross-platform design is unique. If users grant permission to the Java Archive, the malware will secretly determine whether the user is running a Mac, a Windows PC, or a Linux machine. When running on a Mac, the malware will remotely connect to an IP address through port 8080 to obtain additional code to execute.

Anti-virus maker Sophos said on Wednesday that the new malware has the potential to affect a higher number of people because of its multi-platform strategy. Typically, malware and viruses target Windows PCs, as they represent the overwhelming majority of computers.

"Once it has found out which operating system you are running, the Java class file will download the appropriate flavor of malware, with the intention of opening a backdoor that will give hackers remote access to your computer," explained Graham Cluley, senior technology consultant with Sophos.

On a Mac, the new malware is defined as "Backdoor:OSX/GetShell.A". According to F-Secure, it is a PowerPC binary, which means users running a modern, Intel-based Mac must also have Rosetta installed.
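The behaviour described above (a Java class file that reads the operating system, then fetches and runs a platform-specific payload) leaves recognisable strings in the class file's constant pool. The following Python script is an added example, not F-Secure's or Sophos's detection logic and not code from the article: it statically triages a JAR by scanning each `.class` member for OS-fingerprinting, network-fetch and code-execution API names and reports which classes combine them. The function names, the indicator grouping and the sample JAR it builds in memory are all constructed for this example; the API name strings themselves are standard JDK names.

```python
"""Static triage of a Java Archive (JAR) for cross-platform dropper traits.

Heuristic only (an assumption of this example, not a vendor signature): a
class that branches on the OS and then fetches or runs code will normally
carry the strings below in its constant pool, and a plain byte scan of each
.class member finds them without a full class-file parser.
"""
import io
import json
import zipfile

# Indicator strings grouped by what they suggest. The grouping is this
# example's own; the names are standard JDK property and class names.
INDICATORS = {
    "os_detection": [b"os.name", b"Mac OS X", b"Windows", b"Linux"],
    "network_fetch": [b"java/net/URL", b"java/net/Socket",
                      b"java/net/HttpURLConnection"],
    "execution": [b"java/lang/Runtime", b"java/lang/ProcessBuilder"],
}


def scan_class_bytes(data: bytes) -> dict:
    """Return {category: [matched strings]} for one .class file's bytes."""
    hits = {}
    for category, needles in INDICATORS.items():
        found = sorted({n.decode() for n in needles if n in data})
        if found:
            hits[category] = found
    return hits


def triage_jar(jar_bytes: bytes) -> dict:
    """Scan every .class member of a JAR and summarise what was found.

    Verdicts: 'no_indicators', 'low' (some strings, no dropper pattern) or
    'review' (reads os.name AND fetches or executes code). 'review' is a
    prompt for manual analysis, not a malware verdict: a legitimate installer
    can match the same pattern.
    """
    report = {"classes": {}, "verdict": "no_indicators"}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                hits = scan_class_bytes(jar.read(name))
                if hits:
                    report["classes"][name] = hits
    per_class = report["classes"].values()
    fingerprints_os = any("os.name" in h.get("os_detection", []) for h in per_class)
    fetches_or_runs = any("network_fetch" in h or "execution" in h for h in per_class)
    if fingerprints_os and fetches_or_runs:
        report["verdict"] = "review"
    elif report["classes"]:
        report["verdict"] = "low"
    return report


def build_sample_jar(include_dropper: bool = True) -> bytes:
    """Build a constructed JAR in memory for demonstration.

    The .class members are fake: a class-file magic followed by the kind of
    constant-pool strings a real compiled class would contain. They are not
    real bytecode and not taken from any sample.
    """
    benign = b"\xca\xfe\xba\xbe" + b"\x00Hello\x00java/lang/System\x00println"
    dropper = (b"\xca\xfe\xba\xbe" + b"\x00os.name\x00Mac OS X\x00Windows\x00Linux"
               + b"\x00java/net/URL\x00openStream\x00java/lang/Runtime\x00exec")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("Hello.class", benign)
        if include_dropper:
            jar.writestr("com/example/Dropper.class", dropper)
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(triage_jar(build_sample_jar()), indent=2))
```

On a real JAR, replace `build_sample_jar()` with the file's bytes; obfuscated classes that assemble these strings at runtime will not match, which is the usual limit of a string-based triage.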

While rare, cross-platform malware attacks are not unheard of. In 2010, a Trojan known as "trojan.osx.boonana.a" was a Java-based exploit that affected both Macs running OS X and Windows PCs.

As Apple's Mac platform has grown in popularity and outpaced the PC market as a whole, the OS X platform has become a bigger target for hackers. Last month, Apple opted to tone down promotional language on its website that once claimed the Mac "doesn't get PC viruses." Apple's website now says that OS X is "built to be safe."

That change was made just a few months after more than 600,000 Macs were estimated to have been infected by a trojan horse named "Flashback." More than half of the Macs believed to be infected by the botnet were found in the U.S. alone before Apple aggressively released a series of software updates to quash the malware.

Never accept self-trusted certs, or certs with issues of any kind, like having untrusted root CAs. Even if you trust the hosting website, which can be hacked.

Except every University or large corporation I've ever visited or worked for has self-trusted and sometimes unsigned certificates from time to time. The reality is that you just have to trust sometimes.

So let me get this straight. In order for a Mac to get infected you A) must have Java installed AND active and B) you must have Rosetta installed and C) you have to fall for the malware social engineering ploy.

I'm running Lion with Java installed but not turned on. Since The latest Java update turns Java off by default and will turn it off if inactive after a period of time I wonder how many Macs will be vulnerable.

Quote:

Originally Posted by Apple [

These social engineering tricks and malware scams are targeting dumb people, because that's what somebody has to be, in order to get tricked by this.

ComuTV? And it says right there in very red letters, "This root certificate is not to be trusted". If somebody clicks "continue", then they only have themselves to blame.

If there were no "dumb" people in the world we wouldn't need a GUI would we. The whole idea of personal computing is to make the technology useable by all. The "smart" people in some ways are responsible for keeping the "dumb" people safe in spite of themselves.

Never accept self-trusted certs, or certs with issues of any kind, like having untrusted root CAs. Even if you trust the hosting website, which can be hacked.

That doesn't even help you. There are plenty of less reputable CAs that might sign a certificate for something that isn't above-board. Hopefully bank0famerica.com wouldn't get through any more, or other similar typo-squats, but have you ever looked at the list of default root CAs installed on your machine? It is a trust chain, and if you don't trust the people at the top.

Then there is the problem of appliances with self-signed certs, like routers and VOIP phones. What if someone placed malware on them-- to administer you need to trust the cert.

About all you can do is compartmentalize risk. That is getting harder and harder to do when companies track not only cookies and IP addresses but linked behavior with other sites. I can't find a practical solution for that yet other than using an untrusted account on a non-critical server with a different user and password database than the critical servers for VNC/ssh access.

First Flash, now Java… what else is total crap that we can get rid of?
OS X shouldn't have to suffer this nonsense.

To be fair, this is not exploiting a security weakness in Java. It's exploiting a weakness in users. If you're dumb enough to download a random file from the internet, and run it despite security warnings, then it doesn't matter what language it's written in.

If there were no "dumb" people in the world we wouldn't need a GUI would we. The whole idea of personal computing is to make the technology useable by all. The "smart" people in some ways are responsible for keeping the "dumb" people safe in spite of themselves.

Sure, I don't disagree, but there are limits as to how much technology can protect a person. At the end of the day, each person has to be responsible for what they do.

If a person is likely to get scammed through the telephone or by a door salesman or by an email from Nigeria, then they are a likely candidate to also get scammed by this malware.

Never accept self-trusted certs, or certs with issues of any kind, like having untrusted root CAs. Even if you trust the hosting website, which can be hacked.

That's exactly right, no offense but if you fall victim to this ploy it isn't like there weren't signs something was up. Does "not trusted" mean anything to anyone?

Considering Java also isn't installed by default on new Macs this is really a non-issue. Linux is actually more at risk than OS X here since Java is installed by default on most Linux distros.

10.8 will bring welcome features for personal & corporate alike since it will let you restrict not only to the app store but also to external developers so long as they have a valid developer cert from Apple.

If there were no "dumb" people in the world we wouldn't need a GUI would we. The whole idea of personal computing is to make the technology useable by all. The "smart" people in some ways are responsible for keeping the "dumb" people safe in spite of themselves.

Really. I don't care how smart you are, it's just simply less productive to try working in a command line world. Please don't make stuff up. Thank you.

To be fair, this is not exploiting a security weakness in Java. It's exploiting a weakness in users. If you're dumb enough to download a random file from the internet, and run it despite security warnings, then it doesn't matter what language it's written in.

There's a tendency to assume an attitude of arrogance in fields where one has a degree of expertise. This isn't about being dumb, it's about exploiting lack of knowledge and bad habits instilled by daily work with computers. People get conditioned into clicking OK or Continue (especially on Windows) just to be able to get work done. After a while all those permissions dialogs just become noise that most people don't even read, mainly because even when they do, they don't understand what the dialogs are saying. (This is the fundamental flaw in, say, Android's permissions system. I'll bet most Android users have no idea what they are granting apps access to, all they know is that they have to allow stuff if they want it to run.)

I think this points out the advantages of iOS and the direction Apple is going with sandboxing on OS X. The operating system does need to protect users from these sorts of exploits.

Considering Java also isn't installed by default on new Macs this is really a non-issue. Linux is actually more at risk than OS X here since Java is installed by default on most Linux distros.

10.8 will bring welcome features for personal & corporate alike since it will let you restrict not only to the app store but also to external developers so long as they have a valid developer cert from Apple.

There are still a LOT of people on Snow Leopard (with Rosetta installed), and will be for some time. The direction Lion and ML have gone has stopped many people from upgrading, at least for now.

Exactly! This could just as well be a nicely compiled Mac binary file.

As a side note, people seem to want to resist some of Mountain Lion's new security features, but yet we see here clear reasons for Apple to tighten up on security. As incentives increase for people to exploit weaknesses in the OS we will see more security issues. We can all be thankful that this one requires the user to make a few mistakes to execute.

Quote:

Originally Posted by Rennaisance

To be fair, this is not exploiting a security weakness in Java. It's exploiting a weakness in users. If you're dumb enough to download a random file from the internet, and run it despite security warnings, then it doesn't matter what language it's written in.

Just what is this direction that has people so upset with Lion and Mountain Lion that they won't upgrade? Seriously I've yet to hear a sound explanation for this resistance. Considering the security related nature of this thread people should be looking kindly upon Mountain Lion as it tightens things up considerably.

Quote:

Originally Posted by elroth

There are still a LOT of people on Snow Leopard (with Rosetta installed), and will be for some time. The direction Lion and ML have gone has stopped many people from upgrading, at least for now.

You just have to be someone that doesn't work in tech and doesn't spend their spare time on sites like AppleInsider.

Statistically, that's everyone.

I don't think that somebody has to work in tech or be a computer expert to have common sense. Everybody should know that there are a ton of criminals lurking on the internet and they are looking to steal your money. There's no excuse for even the most computer illiterate person to not know that. I don't really see this scam as much different than getting scammed using more traditional methods, such as a scammer calling somebody on the telephone.

According to the article, Lion isn't affected. It's a PowerPC binary, and Apple dropped Rosetta support in Lion. So unless someone has gone to the extraordinary effort to get Rosetta running under Lion, there appears to be no impact.

These social engineering tricks and malware scams are targeting dumb people, because that's what somebody has to be, in order to get tricked by this.

ComuTV? And it says right there in very red letters, "This root certificate is not to be trusted". If somebody clicks "continue", then they only have themselves to blame.

This is more serious than the issue of dumb people. Java executions should be sandboxed. It sounds like, at least for some versions of Java, users are able to install and execute either native libraries that Java will access to Java code using JNDI to get unlimited access to the machine.

However, are PowerPC and Rosetta still important? I haven't missed Rosetta since it was pulled from the OS and I haven't missed the programs that utilized it.

Really. I don't care how smart you are, it's just simply less productive to try working in a command line world. Please don't make stuff up. Thank you.

Maybe you shouldn't make stuff up, either. The command line and the gui both have their place, and there are things one can do on the command line far faster and more easily than in a gui--and vice versa.

Yep, unless you are in business, you shouldn't even have Java installed, or turned on. The average user doesn't need it for squat.

While that is an admirable position to take it doesn't seem practical. My Etrade streaming quotes app is Java, Vimeo uses Java, Ebay uses Java, many Wordpress themes use Java. I can only assume there are many thousands of other ways Java is still used. It may be some time before most can take your advice.

First Flash, now Java… what else is total crap that we can get rid of?
OS X shouldn't have to suffer this nonsense.

How did I know some ignorant person would be the first person to jump in and troll flame Java on this. Yes, please Apple, strip us of all the things that make OS X worth using! Next, please remove Apache, PHP, and Ruby! Afterwards, find a way to yank our access to the terminal! Maybe next, yank our ability to write apps using anything but Apple tech, because that will certainly make the Mac a worthwhile platform... surely.

While that is an admirable position to take it doesn't seem practical. My Etrade streaming quotes app is Java, Vimeo uses Java, Ebay uses Java, many Wordpress themes use Java. I can only assume there are many thousands of other ways Java is still used. It may be some time before most can take your advice.

Everything uses Java. People don't respect Java because the apps they use that run on it don't have big Java™ logos all over them. Apple made a good move to put the onus on Oracle to push the Java updates to the Mac and bring feature parity to that of Linux and Windows for their dev platform, but talking about banishing Java or Flash or any other programming language just shows how ill-informed people are. I'd fully expect these were the same people blindly riding the Sony or Windows bandwagons years ago, championing a cause not worth its weight in dog hair.

There are still a LOT of people on Snow Leopard (with Rosetta installed), and will be for some time. The direction Lion and ML have gone has stopped many people from upgrading, at least for now.

Actually according to Omni Software Update Statistics, the percentage of PowerPC users was less than 3% as of 2009, and how many people are still using Rosetta on Snow Leopard? Just because people might be unable to upgrade to Lion doesn't mean they're needing to use Rosetta to run 6+ year old PowerPC apps. If one must though, maybe consider disabling Java or don't bypass the warnings and install unknown java content.

While that is an admirable position to take it doesn't seem practical. My Etrade streaming quotes app is Java, Vimeo uses Java, Ebay uses Java, many Wordpress themes use Java. I can only assume there are many thousands of other ways Java is still used. It may be some time before most can take your advice.

Yeah, well it's the same argument as Flash two years ago though. Not one of the places you mention actually *needs* to use Java to do the things the particular site does. These sites use Java because it's easier and they are lazy or stuck in the past or have a developer that thinks Java is the bee's knees etc.

Just like the situation with Flash, they won't stop using Java on these sites, until enough people disable Java and thus complain.

There's a tendency to assume an attitude of arrogance in fields where one has a degree of expertise. This isn't about being dumb, it's about exploiting lack of knowledge and bad habits instilled by daily work with computers.

Yes, I certainly agree with you here. OS's can and should be improved to prevent this from happening, just like Apple is doing with Gatekeeper in Mountain Lion.

My point was that it's a bit unfair to frame this as a Java problem as it's not exploiting an actual weakness or security flaw in Java. This could just as easily be a rogue native app.